How to fix open redirect issue in java

Question

Currently my java code uses

response.sendRedirect(request.getRequestUrl().toString());

Which is an open redirect.

I have to fix this but I can not white list it since there are too many URL's are associated with it.

I have tried the following solution with ESAPI but it wont work for me.

ESAPI.httpUtilities().setCurrentHTTP(req, resp);
ESAPI.httpUtilities().sendRedirect(location);
ESAPI.httpUtilities().clearCurrent();

I am new to ESAPI.

Answer 1

Thanks for all your suggestions and comments. I found that the lines

ESAPI.httpUtilities().setCurrentHTTP(req, resp);
ESAPI.httpUtilities().sendRedirect(location);
ESAPI.httpUtilities().clearCurrent();

Is now working fine for me, after a long struggle I found that my code is using latest version of commons-configuration.jar but when I added Esapi as a dependency the Esapi used an old version of the same and that was not compatible with my code so I just excluded the this from Esapi dependency using the exclusion in pom and it worked for me.

Answer 2

You definitely are going to want to white-list this, at least at a minimum, based on domain names. Restrict it as much as possible. E.g., if your app is hosted at https://myApp.example.com/ redirecting to anywhere on your site is probably okay. (I write probably, because if it can be used as a way to bypass authorization checks, say on a multi-sequence page series, then it might not be okay. But as long as your regular authorization checks pick up and validate the redirect, you generally will be okay.) But what about redirects to https://anotherApp.example.com/? Would those be okay? What about anything in the "example.com" domain? Are their other 3rd party domains that you need to white-list? If so, be sure to list those URLs as well. But the one thing that you want to avoid are completely open redirects and for that you need some type of white-listing. You could build some custom validators using ESAPI to do this, but it's probably just easier to write it without ESAPI. If you have a bunch of URLs that you have to white-list, keep them in a configuration file that's not part of your .war / .ear file so you can easily update it without redeploying your application and just (re)read the config file when it gets updated.

Hope this helps.

-kevin

Answer 3

[Disclaimer]

I'm project co-lead on ESAPI.

I have to fix this but I can not white list it since there are too many URL's are associated with it.

Essentially, "I have to fix the problem, but I am restricting myself from the easiest solution."

Here are the best practices enumerated by @jww:

1. Simply avoid using redirects and forwards.

2. If used, do not allow the url as user input for the destination. This can usually be done. In this case, you should have a method to validate URL.

3. If user input can’t be avoided, ensure that the supplied value is valid, appropriate for the application, and is authorized for the user.

4. It is recommended that any such destination input be mapped to a value, rather than the actual URL or portion of the URL, and that server side code translate this value to the target URL.

5. Sanitize input by creating a list of trusted URL's (lists of hosts or a regex).

6. Force all redirects to first go through a page notifying users that they are going off of your site, and have them click a link to confirm.

These are literally all the solutions available to you. Some web frameworks make this easy for you, like Spring MVC with Spring Security.

These lines:

 ESAPI.httpUtilities().setCurrentHTTP(req, resp);
 ESAPI.httpUtilities().sendRedirect(location);
 ESAPI.httpUtilities().clearCurrent();

Don't work because you have to inspect the user input before performing the redirect.